We've got an instance that we're finally ready to go with Active Response
on. 2.8, running on a RHEL6 server.
Vanilla OSSEC works great; emails us alerts:
<global>
  <email_notification>yes</email_notification>
  <email_to>[email protected]</email_to>
  <smtp_server>localhost</smtp_server>
  <email_from>[email protected]</email_from>
  <white_list>10.127.70.130</white_list>
</global>
<email_alerts>
  <email_to>[email protected]</email_to>
  <level>5</level>
  <do_not_group />
</email_alerts>
So for active response, I've done the usual active response stuff, and it
works great! Test by brute ssh; puts an entry into the log, and slams
iptables shut.
<rule id="100002" level="3">
  <decoded_as>ar_log</decoded_as>
  <options>alert_by_email</options>
  <group>active_response_notification</group>
  <action>firewall-drop.sh</action>
  <status>add</status>
  <description>Active response firewall-drop.sh was run, host blocked</description>
</rule>
Except... no email alert, to anyone. I tried the obvious and set the level
to "14" - still no alert.
Now, the only weird thing I noticed in the alerts.log was this:
** Alert 1409231362.174249: -
ossec,active_response,ative_response_notification
2014 Aug 28 09:09:22 (roosevelt)
10.127.72.105->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 10.127.72.107
Thu Aug 28 09:09:20 EDT 2014
/var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107
1409231360.173267 5712
Note the 'ative_response_notification'. ative, not active, but I don't
know if this could be doing it.
Suggestions appreciated...
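The alert quoted above, fed through a small parser, as an added example that is not part of the original post or of OSSEC itself: it pulls the rule id, level, group list and e-mail flag out of each alerts.log entry and lists why that entry would not have produced the mail the custom rule promised. It assumes alerts.log's on-disk layout, where the group list sits on the "** Alert" header line and the word `mail` appears before the dash when the matched rule carries alert_by_email; the rule id 100002 and the group name are the ones from the post.

```python
import re

# Constructed sample: the alert from the post, laid out as alerts.log writes it
# (header and group list on one line; no "mail" token before the dash).
SAMPLE_ALERT = """** Alert 1409231362.174249: - ossec,active_response,ative_response_notification,
2014 Aug 28 09:09:22 (roosevelt) 10.127.72.105->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 10.127.72.107
Thu Aug 28 09:09:20 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 10.127.72.107 1409231360.173267 5712
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail>\s*mail)?\s*-\s*(?P<groups>\S+)")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")
SRCIP_RE = re.compile(r"^Src IP: (?P<src>\S+)")


def parse_alerts(text):
    """Split an alerts.log excerpt into one dict per '** Alert' block."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip stray text
        alert = {
            "id": m["id"],
            "mail": bool(m["mail"]),  # maild only sends entries flagged here
            "groups": [g for g in m["groups"].split(",") if g],
            "rule": None, "level": None, "description": "", "src_ip": None,
        }
        for line in lines[1:]:
            r = RULE_RE.match(line)
            if r:
                alert["rule"], alert["level"] = int(r["rule"]), int(r["level"])
                alert["description"] = r["desc"]
            s = SRCIP_RE.match(line)
            if s:
                alert["src_ip"] = s["src"]
        alerts.append(alert)
    return alerts


def check_active_response_alert(alert, expected_rule, expected_group):
    """Return the reasons this entry would not mail under the custom rule."""
    problems = []
    if alert["rule"] != expected_rule:
        problems.append(f"matched rule {alert['rule']}, not custom rule {expected_rule}")
    if expected_group not in alert["groups"]:
        problems.append(f"group {expected_group!r} absent; got {alert['groups']}")
    if not alert["mail"]:
        problems.append("header carries no 'mail' flag, so nothing is handed to maild")
    return problems
```

Running `check_active_response_alert(parse_alerts(SAMPLE_ALERT)[0], 100002, "active_response_notification")` on the quoted entry reports all three problems: the stock rule 601 claimed the event, the group is the misspelled one, and the entry was never flagged for mail.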